Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see
Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for RADIUS-Based Policing

You must configure all traffic classes on the ISG before referencing the classes in policy maps.

You must configure and apply QoS policy maps on the ISG before the ISG can construct and apply an ANCP-based dynamic service policy.

Restrictions for RADIUS-Based Policing

Per-service policing cannot be configured on the class-default class at the parent level of a hierarchical policy. You can configure per-service policing on class-default classes at the child or grandchild level.

Transient policies are not visible in the running-configuration file. Only the original policy configuration is visible.

Parameterized QoS is not supported for IP sessions.

The parameterized Access Control List (pACL) name is limited to 80 characters. The pACL name is formed by concatenating the ACL entries in the RADIUS CoA or Access-Accept message to the ACL name configured on the ISG. If the pACL name exceeds 80 characters the parameterization operation fails and an error message displays. For a CoA message, the ISG also sends a negative Ack (Nack) response to the RADIUS server.

If there is a concatenated service-activation push, QoS policies are applied first and then service activation occurs. If a concatenated service activation fails, any QoS policies applied are not rolled back.

Information About RADIUS-Based Policing

RADIUS Attributes

RADIUS communicates with ISG by embedding specific attributes in Access-Accept and change of authentication (CoA) messages. RADIUS-based shaping and policing employs this exchange of attributes to activate and deactivate services and to modify the active quality of service (QoS) policy applied to a session. The RADIUS server determines the new shaping or policing rate based on vendor-specific attributes (VSAs) configured in a subscriber’s user profile on RADIUS and on the Advanced Node Control Protocol (ANCP)-signaled rate received from ISG.

After receiving the Access-Accept or CoA message, ISG copies the original policy map applied to the session and changes the shaping or policing rate of the copied, transient policy as indicated by RADIUS. ISG does not change the shaping rate of the original policy. After changing the transient policy, ISG applies the transient policy to the subscriber service.

The following sections describe the RADIUS attributes used in RADIUS-based policing:

RADIUS Attributes 250 and 252

RADIUS uses attribute 250 in Access-Accept messages and attribute 252 in CoA messages to activate and deactivate parameterized services. ISG services are configured locally on the ISG device; RADIUS sends only the service name.

Attributes 250 and 252 have the following syntax for service activation:

Access-Accept Messages

250 "Aservice(parameter1=value,parameter2=value,...)"

CoA Messages

252 0b "service(parameter1=value,parameter2=value,...)"

RADIUS uses only Attribute 252 in a CoA message when deactivating a service. RADIUS sends the same information in Attribute 252 that was used for service activation, except that service deactivation uses 0c in the syntax instead of the 0b parameter used for service activation.

252 0xC "service(parameter1=value,parameter2=value,...)"

VSA 252 has the above syntax for service deactivation.

Cisco VSA 1

RADIUS uses a vendor-specific attribute (VSA) 1 command to modify the active QoS policy on a session. This VSA has the following format:

av-pair = "policy-type=command9parameter1,...,parametern"

Use the following Cisco VSA 1 format to add and remove classes and QoS actions to and from the QoS policy that is currently active on a session:

Before the ISG can construct a policy using the policing parameters specified in the RADIUS message, a QoS policy must be active on the session. If a QoS policy is not active in the specified direction, the ISG does not create the policy.

When implementing the changes specified in the Cisco VSA, the ISG does not make the changes to the originally configured QoS policy on the ISG device. Instead, the ISG copies the active QoS policy for the session and then makes the required changes to the policy copy, which is referred to as a transient policy
. The originally configured QoS policy on the ISG device is not changed.

The following sections describe the Cisco VSA 1 commands used to automatically modify policing parameters of active policies:

target field—Indicates the QoS policy to be modified. The only valid value for this field is sub, which indicates the active QoS policy attached to the subscriber session. The Access-Accept or CoA message that includes this attribute must be targeting a subscriber session.

class-list field—A list of class names enclosed in parentheses that identifies the traffic class to which the specified QoS action applies. The class names you specify must be either user-configured class maps or the system-generated class-default class. The order in which you specify the class names indicates the hierarchical level of the class within the QoS policy.

For example, the following class list identifies the class named “voip”, which gets added to a nested policy. The VoIP class is configured in a nested child policy that is applied to the parent class-default class.

(class-default, voip)

ISG Configuration

The following class list specifies the voip-2 class, which is configured in a nested policy that is applied to the voip-aggregate class of another nested child policy. The policy containing the voip-aggregate class is in turn nested under the class-default class of the QoS policy attached to the target session.

(class-default, voip-aggregate, voip-2)

MSQ Configuration

The
qos-actions-list field indicates a QoS action such as police, followed by the action parameters enclosed in parentheses and separated by commas. For example, the following sample configuration specifies the police action and defines the parameters
bps,
burst-normal,
burst-max,
conform-action,
exceed-action, and
violate-action. Parentheses enclose the action parameters.

(voip-aggregate police(200000,9216,0,transmit,drop,drop))

Note

The example shows a double-parenthesis at the end, because the syntax of the VSA specifies enclosure of the target, class-list, and qos-actions-list in parentheses.

Remove-Class Primitive

To remove traffic classes and QoS actions defined in the active QoS policy on a session, use the remove-class primitive. This attribute has the following format:

target field—Indicates the QoS policy to be modified. The only valid value for this field is sub, which indicates the active QoS policy attached to the subscriber session. The Access-Accept or CoA message that includes this attribute must be targeting a subscriber session.

class-list field—A list of class names enclosed in parentheses that identifies the class or classes to be removed. The class names you specify must be either user-configured class maps or the system-generated class-default class. The order in which you specify the class names indicates the hierarchical level of the class within the QoS policy.

For example, the following VSA1 attribute removes the Bronze class and all associated QoS policy actions from the nested child policy that is applied to the parent class-default class:

qos-policy-out=remove-class(sub,(class-default,Bronze))

When you remove a traffic class from a QoS policy, all of the attributes for the class are also removed. To re-add the class with the same attributes, you must reissue the add-class RADIUS attribute and provide the required parameters and values.

Parameterized QoS Policy as VSA 1

Multiple complex strings in a CoA message are not supported because they do not display the correct behavior of VSA 1, as shown in the following example:

Parameterized QoS policy in the second command syntax is not echoed in the ISG service.

Parameterized QoS policy in the first command syntax is echoed.

Parameterization of QoS ACLs

The Parameterization of QoS Access Control Lists (ACLs) feature supports multiple ISG and QoS parameterized services in a single Access-Accept or CoA message. This feature allows the authentication, authorization, and accounting (AAA) device to change parameters dynamically.

HA Support for RADIUS-Based Policing

The ISG Policy HA and RADIUS-Based Policing HA feature adds stateful switchover (SSO) and In Service Software Upgrade (ISSU) support to ISG RADIUS-Based Policing for QoS parameterization that is configured through template services.

When the ISG receives a RADIUS Access-Accept or change of authentication (CoA) message with this VSA included, the ISG copies the currently configured policy map applied on the session and changes the shaping rate of the transient parent class-default class to the shaping rate specified in the VSA. The ISG makes changes only to the transient policy; no changes are made to the original policy map. After changing the transient policy, the ISG applies the transient policy to the subscriber session.

Configuring per-Service Shaping and Policing

Configuring a Hierarchical QoS Child Policy with Shaping and Policing on ISG

When the ISG receives a RADIUS Access-Accept or CoA message with these VSAs included, the ISG copies the originally configured policy map that is active on the session and changes the shaping or policing rate of the traffic class specified in the class-list field. The ISG makes changes only to the transient policy and applies the transient policy to the subscriber service; no changes are made to the original policy map.

Note

Per-service shaping and policing do not apply to the parent class-default class.

For more information, see the “RADIUS Attributes” section.

Verifying RADIUS-Based Policing

To verify the configuration of RADIUS-based policing on the ISG, use any of the following commands in privileged EXEC mode.

Command

Purpose

showpolicy-mapinterface

Displays the configuration of all classes configured for all policy maps attached to all interfaces.

showpolicy-mapinterfaceinterface [input |
output]]

Displays the configuration of all classes configured for all inbound or outbound policy maps attached to the specified interface.

interfaceis the name of the interface or subinterface.

input indicates the statistics for the attached inbound policy.

output indicates the statistics for the attached outbound policy. If you do not specify
input or
output, the router shows information about all classes that are configured for all inbound and outbound policies attached to the interface you specify.

showpolicy-mappolicy-map-name

Displays the configuration of all of the traffic classes contained in the policy map you specify.

policy-map-name is the name of the policy map for the configuration information you want to appear.

If you do not specify a value for the
policy-map-nameargument, the command shows the configuration of all policy maps configured on the router.

showpolicy-mappolicy-map-nameclassclass-name

Displays the configuration of the class you specify. The policy map you specify includes this class.

policy-map-name is the name of the policy map that contains the class configuration you want to appear.

class-name is the name of the class whose configuration you want to. If you do not specify a value for the
class-nameargument, the command shows the configuration of all of the classes configured in the policy map.

showpolicy-mapsession [output |
output |
uid]

Displays the inbound or outbound policy maps configured per session. Also displays the dynamic policy map that is applied to the subscriber session. If you do not specify any arguments, the command shows all sessions with configured policy maps, which might impact performance.

input indicates inbound policy maps.

output indicates outbound policy maps.

uid is the session ID.

showrunning-config

Displays the running-configuration file, which contains the current configuration of the router, including the default QoS policy.

showrunning-configinterfaceinterface

Displays the configuration of the interface you specify that is currently configured in the running-config file, including any service policies attached to the interface.

Example: Adding Parameterization of QoS ACLs

The following example shows how to parameterize the set source IP address and destination IP address parameter, set-src-dst-ip-in-acl, through CoA or Access-Accept messages. The QoS parameterized service is added in the parameterized QoS service RADIUS form:

VSA252 0b q-p-out=IPOne(1)((c-d,voip)13(10.10.1.0/28,10.3.20/29))
! The above command activates the service in a CoA message.
vsa cisco generic 1 string "qos-policy-out=add-class(sub,(class-default,voip),set-src-dst-ip-in-acl(10.10.1.0/28,10.3.20/29))"
! The above command activates the service in a Access-Accept message.

RADIUS Configuration

The following Cisco VSA is configured in a user profile on RADIUS. This VSA adds the class-default class to the QoS policy attached to the subscriber session for outbound traffic and shapes the class-default class to 120,000 bps.

RADIUS Access-Accept Message

The ISG receives the following RADIUS Access-Accept message. Notice that the above Cisco VSA configured in the user’s profile is present in the Access-Accept message and that the parent shaping rate has changed to 120,000.

ISG Transient Policy

The ISG copies the service policy named Parent currently applied to the session and creates a transient copy named New_Parent. While the parent shaping rate, as previously shown, changes to 120,000, the shaping rate displayed in the transient New_Parent policy is the old rate of 10,000, as seen in the following example. The child policy remains unchanged.

RADIUS Configuration

The following Cisco VSA is configured in a user profile on RADIUS. This VSA adds the class-default class to the QoS policy attached to the subscriber session for outbound traffic and shapes the class-default class to 120,000 bps.

ISG Transient Policy

The ISG copies the service policy named Parent currently applied to the session and creates a transient copy named New_Parent to which it makes the appropriate changes. Based on the Cisco VSA included in the CoA message, the ISG changes the shaping rate of the parent class-default class to 120,000 bps. However, the shaping rate displayed in the transient New_Parent policy is the old rate of 10,000, as seen in the following example. The child policy remains unchanged.

RADIUS Configuration

The following Cisco VSA is configured in a user profile on RADIUS. This VSA changes the policing rate of the Premium class in the Child policy. The Child policy is applied to the class-default class of the Parent policy.

ISG Transient Policy

The ISG copies the service policy that is currently applied to the session and creates a transient policy named New_Parent to which it makes the appropriate changes. Based on the Cisco VSA included in the Access-Accept message, the ISG adds the policing rate to the Premium traffic class. The Premium class is configured in the transient New_Child policy, which is applied to the New_Parent class-default class.

ISG Transient Policy

The ISG copies the service policy named Parent currently applied to the session and creates a transient copy named New_Parent to which it makes the appropriate changes. Based on the Cisco VSA included in the Access-Accept message, the ISG changes the policing rate of the Premium traffic class from 5000 bps to 200,000 bps. The Premium class is configured in the New_Child policy, which is applied to the New_Parent class-default class.

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for RADIUS-Based Policing

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Table 1 Feature Information for RADIUS-Based Policing

Feature Name

Releases

Feature Information

ISG: Policy Control: Policy Server: RADIUS-Based Policing

Cisco IOS XE Release 2.4

The RADIUS-Based Policing feature extends ISG functionality to allow the use of a RADIUS server to provide subscriber policy information.

In Cisco IOS XE Release 2.4, support was added for the Cisco ASR 1000 Series Router.

RADIUS-Based Policing Attribute Modifications

Cisco IOS XE Release 2.4

The RADIUS-Based Policing Attribute Modifications feature allows the RADIUS server to communicate with the ISG by embedding specific attributes in Access-Accept and CoA messages. RADIUS-based shaping and policing employs this exchange of attributes to activate and deactivate services, and to modify the active QoS policy applied to a session.

In Cisco IOS XE Release 2.4, support was added for the Cisco ASR 1000 Series Router.